[geeklog-devel] GL2 ACL

Vincent Furia vfuria at gmail.com
Mon Dec 13 23:54:37 EST 2004


On Mon, 13 Dec 2004 19:54:25 -0600, Tony Bibbs <tony at tonybibbs.com> wrote:
> Vinny, is this still the direction you are thinking of? If so I have a
> question:
Yes, I'll do my best to answer.

> - the acl table listed has an id field as the PK.  Right after that is
> an item field which, I assume is a foreign key to the item table.  So
> what's the relation between the acl table and item table?  1-to-1?
> 1-to-many?
1 item can have many rows in the acl table.

> - So your goal, to be clear, is to be able to, on a user-by-user basis
> or group-by-group basis control access to an item.  What's the
> performance implication on this?
Actually I don't think performance will be a problem.  All that needs
to be done is a single SQL call with a straight join or two DB calls. 
I suspect that Propel will do the latter.  In any case the select
(and/or join) will be on table indices so it will be very fast.  When
I first started out with this idea I did a sample using 1.3.x's
article table and making a basic acl table.  The difference between
getting the permissions via 1.3.x methods vs. with acls was not
noticeable until I was selecting hundreds of articles and even then I
wouldn't call the difference a huge performance hit.  Unfortunately I
think I lost that code...

> For the others on the list, this has nothing to do with the
> Auth_Enterprise work that has been done.  Auth_Enterprise controls
> access to the application, the ACLs build on that by providing detailed
> item-level security.
Yes, though I still will argue that Geeklog should keep a
"permissions" table (story.edit, etc) internally and ACLs should be
kept against that as well.  But I bet Tony and I will talk about that
later. :)

And so people know where I got most of these ideas: I did a lot of
work with the Andrew File System (AFS) in school, and grew to really
like the granularity of its permissions system.  Here's a web site that
goes into the basics of that:
http://www.psc.edu/general/filesys/afs/setpermissions.html.  Hopefully
you'll be able to see what I was shooting for.

-Vinny
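
The lookup described in this message (one item, many acl rows, access resolved per user or per group in a single joined query), as an added example that is not code from the thread or from Geeklog. Only the acl table's id and item columns come from the message; every other table and column name, the rights letters and the sample rows are assumptions, and SQLite stands in for the real database.

```python
import sqlite3

# Hypothetical schema: only acl.id (PK) and acl.item (FK to item) come from the
# thread; every other table and column name here is an assumption.
SCHEMA = """
CREATE TABLE item (id INTEGER PRIMARY KEY, title TEXT NOT NULL);
CREATE TABLE membership (user_id INTEGER NOT NULL, group_id INTEGER NOT NULL,
                         PRIMARY KEY (user_id, group_id));
CREATE TABLE acl (
    id        INTEGER PRIMARY KEY,
    item      INTEGER NOT NULL REFERENCES item(id),
    principal TEXT    NOT NULL CHECK (principal IN ('user', 'group')),
    who       INTEGER NOT NULL,          -- user id or group id
    rights    TEXT    NOT NULL,          -- assumed letters, e.g. 'r', 'rw'
    UNIQUE (item, principal, who)
);
CREATE INDEX acl_lookup ON acl (principal, who, item);
"""

# One statement, straight joins: items on which the user holds a right, either
# through a user row or through a row for any group the user belongs to.
ACCESSIBLE = """
SELECT DISTINCT i.id, i.title
FROM item i
JOIN acl a ON a.item = i.id
LEFT JOIN membership m
       ON a.principal = 'group' AND m.group_id = a.who AND m.user_id = :uid
WHERE instr(a.rights, :perm) > 0
  AND ((a.principal = 'user' AND a.who = :uid) OR m.user_id IS NOT NULL)
ORDER BY i.id
"""

def build_db():
    """Constructed sample data: 3 items, users 10 and 20, group 100."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO item VALUES (?, ?)",
                   [(1, "public story"), (2, "draft"), (3, "admin notes")])
    db.execute("INSERT INTO membership VALUES (10, 100)")  # user 10 in group 100
    db.executemany(
        "INSERT INTO acl (item, principal, who, rights) VALUES (?, ?, ?, ?)",
        [(1, "group", 100, "r"), (2, "user", 10, "rw"),
         (2, "user", 20, "r"), (3, "user", 20, "rw")])
    return db

def items_with_right(db, uid, perm):
    """Return [(id, title)] where the user holds `perm`; no ACL row means no access."""
    return db.execute(ACCESSIBLE, {"uid": uid, "perm": perm}).fetchall()
```
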


